March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Alert – TeamTNT Gains Full Remote Takeover of Cloud Instances
September 10, 2020
Rewterz Threat Advisory – Multiple Palo Alto Network Security Vulnerabilities
September 11, 2020
Rewterz Threat Alert – TeamTNT Gains Full Remote Takeover of Cloud Instances
September 10, 2020
Rewterz Threat Advisory – Multiple Palo Alto Network Security Vulnerabilities
September 11, 2020
Severity
High
Analysis Summary
NetWalker (also known as Mailto) is the name given to a sophisticated family of Windows ransomware that has targeted corporate computer networks, encrypting the files it finds, and demanding that a cryptocurrency payment is made for the safe recovery of the encrypted data. Discovered in August 2019, NetWalker has gathered all the attention required to scare off corporate clients and has been targeting organizations in targeted attacks. NetWalker operates as a closed-access RaaS — ransomware-as-a-service portal. Different groups and hackers sign up and go through a vetting process, after which they are granted access to a web portal where they can build custom versions of the ransomware.
Tools Used By NetWalker
- LaZagne
- Mimikatz
- NetWalker
- NL Brute
- PsExec
- pwdump
- SoftPerfect Network Scanner
- TeamViewer
- Windows Credential Editor
Vulnerabilities Exploited By NetWalker
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.
Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka “Win32k Elevation of Privilege Vulnerability.
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution.
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when an attacker runs a specially crafted application, aka “Windows COM Elevation of Privilege Vulnerability.
Impact
- Remote code execution
- Files encryption
- Privilege escalation